Summary

What is an Enterprise Authenticator?

YubiOn FIDO Logon supports Enterprise Attestation, an additional mechanism available in FIDO2 scenarios.
Enterprise Attestation requires an authenticator that supports this function. In YubiOn FIDO Logon, an authenticator that supports Enterprise Attestation is referred to as an “Enterprise Authenticator.”

Normally, passkeys (FIDO authentication) cannot identify the specific authenticator used by the end user, so end users are free to register any authenticator. However, some companies consider it insufficient for end users to simply have passkeys and want to ensure that only authenticators prepared by the company are used.

Enterprise Attestation provides a function that uniquely identifies authenticators and determines whether their use is permitted. It is designed to meet the needs of companies with such requirements.

This section explains the overview of enterprise authenticators in FIDO Logon, as well as the preparations and procedures for using them.

What You Can Do with an Enterprise Authenticator

By using enterprise authenticators and their features, you can restrict the authenticators that can be used within YubiOn FIDO Logon.
Enterprise Authenticator Overview

This allows companies to ensure that only authenticators prepared by administrators are used by end users. Additionally, since it is possible to identify which end user is using which authenticator, asset and inventory management can be conducted effectively.

YubiOn FIDO Logon Settings

In YubiOn FIDO Logon, you can restrict the authenticators used for authentication to enterprise authenticators in the following scenarios:

  • When a local account logs on to a PC
  • When a domain account logs on to a PC
  • When an administrator logs in to the YubiOn FIDO Logon management website

The restriction can be configured using different patterns, allowing you to select and set the appropriate option according to your operational policy.

  • Only enterprise authenticators can be registered … Any enterprise authenticator registered to the customer can be used.
  • Only enterprise authenticators assigned for the account can be registered … Only enterprise authenticators pre-assigned to the account by the administrator can be used.
  • All FIDO authenticators can be registered … All authenticators can be used (no restrictions).
The following table shows which authenticators can be registered under each set value:

  Set value                                                                 | General authenticator | Enterprise authenticator not assigned to the user | Enterprise authenticator assigned to the user
  --------------------------------------------------------------------------|-----------------------|---------------------------------------------------|----------------------------------------------
  Only enterprise authenticators can be registered                          | Non-registrable       | Registrable                                       | Registrable
  Only enterprise authenticators assigned for the account can be registered | Non-registrable       | Non-registrable                                   | Registrable
  All FIDO authenticators can be registered                                 | Registrable           | Registrable                                       | Registrable
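To make the registration rules above concrete, here is an added example (not code from YubiOn FIDO Logon) of how a relying party could enforce the three set values at registration time. It assumes a hypothetical `enterprise_device_id` field extracted from the enterprise attestation (None when the authenticator returned an ordinary attestation) and an administrator-maintained map of device identifiers to the accounts they are assigned to; both names are assumptions for illustration. It also covers the case of an enterprise authenticator that is assigned to a different account, which is treated as "not assigned to this user" under the account-specific set value.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class SetValue(Enum):
    """The three set values described in the table above."""
    ENTERPRISE_ONLY = "Only enterprise authenticators can be registered"
    ASSIGNED_ONLY = "Only enterprise authenticators assigned for the account can be registered"
    ANY = "All FIDO authenticators can be registered"


@dataclass(frozen=True)
class RegistrationRequest:
    """A registration attempt by an account.

    enterprise_device_id is a hypothetical field: the unique device identifier
    that an enterprise attestation makes available to the relying party.
    It is None when the authenticator produced an ordinary attestation,
    i.e. when it is a general (non-enterprise) authenticator.
    """
    account: str
    enterprise_device_id: Optional[str]


def classify(req: RegistrationRequest, assignments: Dict[str, str]) -> str:
    """Map a request onto the three columns of the table.

    assignments is the administrator's map of device id -> assigned account
    (a constructed, hypothetical data structure).
    Returns "general", "unassigned" or "assigned".
    """
    if req.enterprise_device_id is None:
        return "general"
    # A device assigned to some other account counts as unassigned for this user.
    if assignments.get(req.enterprise_device_id) == req.account:
        return "assigned"
    return "unassigned"


def registrable(set_value: SetValue, req: RegistrationRequest,
                assignments: Dict[str, str]) -> bool:
    """Decide whether the request may register an authenticator under set_value."""
    kind = classify(req, assignments)
    if set_value is SetValue.ANY:
        return True
    if set_value is SetValue.ENTERPRISE_ONLY:
        return kind != "general"
    # SetValue.ASSIGNED_ONLY
    return kind == "assigned"


def registration_matrix(assignments: Dict[str, str]) -> Dict[SetValue, Dict[str, bool]]:
    """Rebuild the table above from the policy function for a given assignment map.

    Uses constructed sample requests for the account "alice": a general
    authenticator, an enterprise authenticator that is not in the map,
    and the enterprise authenticator "SN-0001", which the caller may assign.
    """
    samples = {
        "general": RegistrationRequest("alice", None),
        "unassigned": RegistrationRequest("alice", "SN-9999"),
        "assigned": RegistrationRequest("alice", "SN-0001"),
    }
    return {
        sv: {name: registrable(sv, req, assignments) for name, req in samples.items()}
        for sv in SetValue
    }


if __name__ == "__main__":
    # Constructed assignment: the administrator pre-assigned SN-0001 to alice.
    demo_assignments = {"SN-0001": "alice"}
    for sv, row in registration_matrix(demo_assignments).items():
        print(sv.value)
        for kind, ok in row.items():
            print(f"  {kind:<10} {'Registrable' if ok else 'Non-registrable'}")
```

Running the module prints one row per set value, matching the table; the decision logic lives in `registrable`, so the same function can gate both PC logon registration and management-website registration.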